Everywhere, in every city and every nation, the foreheads of information executives are growing damp with anxious sweat. Fear is spreading like one of those nasty new computer viruses we hear about almost every day. And that old whipping boy, the maladjusted juvenile hacker getting his kicks by stealing, destroying or corrupting corporate data, is not the only bogy keeping IT leaders jumping at shadows.
The demons are legion. There's the disgruntled employee who accesses payroll records and posts his supervisor's salary on the Internet for everyone to see.
There's the misanthrope who spams e-mail systems with tens of thousands of inane messages, overloading them and shutting them down. There's the spy, the business competitor, who taps into your intranet to steal your company's crown jewels.
These scenarios have become a regular feature of the IT landscape, according to recent security reports (see "Scary Numbers"). In fact, a joint survey by the FBI and the Computer Security Institute (CSI) reported that breaches in computer security cost 163 large US companies and government organisations $124 million in losses last year. And if that number seems low, remember that only a small fraction of companies report security breaches. No one likes to advertise their vulnerability. It makes stockholders nervous.
No one is immune. The Pentagon reportedly detects as many as 100 hacks on its systems in a typical week. A NATO spokesperson told reporters in late March that as the conflict in the Balkans escalated, Yugoslav hackers assaulted the alliance's Web site with a barrage of viruses and unwanted e-mails, trying (and on occasion succeeding) to bring down the site. The Associated Press reported in September 1998 that a computer expert hacked into telecommunications company US West's computers, wreaking significant havoc. Also that September, The New York Times Web site was attacked. The situation is becoming so serious that President Clinton proposed earlier this year that $1.46 billion be budgeted in 2000 to protect the country's critical infrastructure and that government agencies recruit a "Cyber Corps" of security experts to respond to future computer crises. This proposal, Clinton claimed, increases government spending on this issue by 40 per cent.
"Cyberspace is America's Achilles' heel," says Mark Gembicki, a security expert and chief technology officer at WarRoom Research, a security and intelligence consultancy. "Corporate America is now borderless, and cyberterrorism is a very real, serious threat to our economy." When the now-infamous Melissa virus struck in late March, it became the most prolific computer bug to date, clogging the e-mail files of companies all over the world. In the end, Melissa turned out to be more of an annoyance than a catastrophe. But it was bad enough that some companies, including Microsoft and Lucent Technologies, had to shut down their e-mail systems as they tried to swat the bug. No one can say how much business or how much money was lost during the downtime.
And Melissa could have been worse. "Much tougher [viruses] are on the way," says Steve Hunt, an analyst at Giga Information Group, a consultancy based in.
"Companies need to know this is just the beginning." Some already do. Oliver Butler, CIO and vice president of Commonwealth Edison, the Chicago-based electric utility, says that as companies put more of their eggs in the technology basket, viewing e-commerce, for example, as a route to competitive advantage, they assume a greater degree of risk, exposing precious corporate data to danger. Therefore, information security becomes critical. But while an explosion in new security technologies promises to help corporations protect that precious data, one factor can frustrate even the most sophisticated security systems: the people who use or, more to the point, don't use them.
Dazed and Confused
IS departments today feel obliged to demand increasingly stringent security practices within the enterprise. But from where the employees sit, complex security procedures interfere with productivity, efficiency and ultimately profitability. Multiple log-ons and passwords that must change frequently and must be too complex for hackers to guess (and are therefore difficult for employees to remember) are becoming the norm. In the interest of security, IS departments are severely restricting e-mail use, limiting and monitoring communications and often banning the exchange of attachments. They are also installing more and more robust firewalls around their extranets. But limiting e-mail limits communication. And extranet firewalls slow network traffic as the software inspects content and authenticates users. The proliferation of small devices such as personal digital assistants and downloaded software applications creates another flashpoint between IS departments and the people they are supposed to serve. Throw in the enterprise partners and customers who are clamoring for access and service via the Web, and the picture for information security management becomes truly complicated.
"As networks become more open-ended, IT has to be even more concerned that proprietary information can now be accessed by unknown individuals," Giga's Hunt says. "IT is taking more of a big brother attitude and this is frustrating users." Many of the battles, according to Hunt, revolve around decisions over access.
"The managers are saying to IT, 'Who are you to say who has access to that data?' and IT is saying, 'We have to maintain control to keep the company safe.'" And a lockdown on security doesn't frustrate just internal users. Ted Julian, an analyst with Forrester Research, says that it can also stand in the way of the business units' desire to bond electronically with customers, partners and suppliers. While IT and the business go around and around over whether a supply chain link with a partner can be adequately secured, that link can evaporate as the partner ties the knot with an access-friendlier company.
Chevron is currently struggling with access issues, according to Alan Nunns, manager of information technology for Chevron Overseas Petroleum. In his current role, Nunns serves as a liaison between IT and the business side. He used to work in the geology division "and so as an internal customer, I understand the user point of view." He says the company is tackling the issue of how to open up electronic links to such partners as its overseas oil producers. "It's important for our business but raises real security questions," says Nunns. "This is a tough one for IT and business to agree on." The route to resolving the conflict, security experts say, is for everyone in the enterprise to view security as a strategic imperative with shared responsibility between IT and business. Getting user buy-in is absolutely key.
The stiffest encryption software will not work worth a damn if the laptop user disables it before launching a dial-in session to the home office. But getting to that ideal state of mutual accountability is not always easy.
Our Lips Are Sealed
Two years ago, as Chevron was increasingly conducting business on its network computing infrastructure, including its intranet and the Internet, a PricewaterhouseCoopers audit concluded that the strategy increased the company's vulnerability to attack. In response, Chevron mounted an initiative to give information protection and security a higher profile within the company.
According to Sheila Taylor, general manager of IT shared services for the Chevron Information Technology, business users were involved right from the start in any policy changes. Which had a not-entirely unexpected side benefit.
"The major change for us in managing IT in general has been taking it from being a separate entity to working very hard at integrating business and technology together," Taylor says. "The security piece was a major part of that." Rick McKillop, directory management and information protection supervisor at Chevron Information Technology, says that at the beginning of last year Chevron's business leaders called for a review of the company's security policies. Four groups of IT and business staffers were formed, with varying levels of membership and authority. All four discuss how to improve security without degrading network performance and productivity, McKillop says. "Since we've bought into the distributed computing environment and as we send more and more critical applications over this environment, we have to make sure it's secure and robust," he says.
Before the advent of the forums, security had been seen as largely IT's problem, according to Dennis Bourque, Chevron Information Technology's information protection and security planner. Now, says Bourque, "We're saying to the business side, security can't just be shoved onto IT; we are here to provide counsel and guidance, but you own the data; it is your responsibility to take care of it." And because the two sides are working together, business is taking the importance of information protection to heart while IT is beginning to understand that policies that don't take business needs into account will fail.
The profile and the status of security at Chevron got another boost last year when Taylor was named corporate champion of information protection. In her new role, Taylor reports directly to the chief technology officer on security issues. Butler at Commonwealth Edison works with a corporate communications staffer who is responsible for explaining changes in security policies to workers. Butler meets regularly with his information security officer and the corporate communications representative to hammer out what needs to be said and who needs to hear it. "We know that we can't bombard them with all sorts of e-mails or things on every little security issue, or they will start ignoring them altogether," Butler says.
Steve Sommer, CIO at Hughes, Hubbard & Reed, a New York City law firm, says he relies on the "embarrassment factor" in getting his 1,100 users worldwide to comply with security measures. "In the law," he says, "everything is your reputation for discretion and protecting client confidentiality. I tell them, wouldn't you be embarrassed if something got out?" But he also combats the huge apathy he encounters by having a simple, standardised computing platform.
"These are lawyers who don't want to be educated on how important security has become, but I just persist in getting out our policy and reminding them of it," says Sommer. Sommer says he also has installed Windows NT on laptops and desktops. NT enables IT to control how users change existing files and add new ones in addition to giving network administrators the power to track and monitor user activity.
It Works If You Work It
Some security analysts see improving technologies as the way to ensure user buy-in. When users don't comply with security standards, says Butler, "It's often the company's fault for having confusing or difficult-to-follow standards." Policies should be clearly stated, consequences for flouting them should be laid out and enforced.
Forrester's Julian says it is very important that security measures be completely transparent to the user. Forrester counsels companies to prioritize usability over restrictive security measures that limit access. Digital certificates (smart cards that contain embedded authorisation information) are an example of a technology that emphasizes usability by allowing people to move from application to application without having to reenter passwords or IDs.
Another hope for simplifying security measures is single sign-on (SSO) technology. With SSO, users are required to identify themselves only once before simultaneously accessing several different systems. Currently, the average employee must sign on to somewhere between five and eight systems every day, each requiring a separate password. In addition, most passwords must be changed every 30 to 90 days. To keep up, people often plaster their cubicle desks and walls with sticky notes. "Anyone walking through the typical Fortune 500 office today could just poke a head into a cube, grab a password and be in," says Giga's Hunt.
Of course, when the stickies get lost and the passwords are forgotten, the phones at the help desk start ringing and IT support costs go up. SSOs could be the cure for this disease.
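The single sign-on idea described above, as an added example (not code from the article or from any vendor it mentions): an identity provider authenticates the user once and mints one signed, time-limited ticket that names the systems it is good for; each system then checks the signature, the audience and the expiry instead of keeping its own password. The shared secret, service names and user names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared between the identity provider and the relying
# services; a real deployment would use a random key managed per environment.
IDP_SECRET = b"demo-sso-secret-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the ticket survives being passed around."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, services: list, now: int, ttl: int = 600,
                 secret: bytes = IDP_SECRET) -> str:
    """Identity provider side: after ONE successful login, mint a ticket the user
    can present to every listed service for the next `ttl` seconds."""
    claims = {
        "sub": user,                 # who was authenticated
        "aud": sorted(services),     # which systems may accept this ticket
        "iat": int(now),             # issued at
        "exp": int(now) + ttl,       # hard expiry, so a lost ticket is not good forever
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_ticket(ticket: str, service: str, now: int,
                  secret: bytes = IDP_SECRET):
    """Relying-service side: return the user name if the ticket is authentic,
    meant for this service and not expired; otherwise None. No password is
    ever seen by the service itself."""
    try:
        payload_b64, sig_b64 = ticket.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: a forged or edited ticket fails here.
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(payload)
    if service not in claims["aud"]:
        return None          # valid ticket, but not for this system
    if now >= claims["exp"]:
        return None          # expired; user must sign on again
    return claims["sub"]


def demo() -> dict:
    """Walk through one sign-on feeding several systems, plus the failure cases."""
    ticket = issue_ticket("alice", ["payroll", "email"], now=1000)
    # Forge an attempt: keep the valid signature but swap the user in the payload.
    payload_b64, sig_b64 = ticket.split(".")
    forged_claims = json.loads(_unb64(payload_b64))
    forged_claims["sub"] = "mallory"
    forged = _b64(json.dumps(forged_claims, separators=(",", ":"),
                             sort_keys=True).encode()) + "." + sig_b64
    return {
        "payroll": verify_ticket(ticket, "payroll", now=1100),
        "email": verify_ticket(ticket, "email", now=1100),
        "crm_not_in_audience": verify_ticket(ticket, "crm", now=1100),
        "expired": verify_ticket(ticket, "payroll", now=1700),
        "forged": verify_ticket(forged, "payroll", now=1100),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point for the reader is where the passwords went: the user typed one, to the identity provider; the payroll and e-mail systems never stored or checked a password at all, only a signature, an audience list and a clock. That is also where the risk moves, which is why the ticket carries a short expiry and why the signing key, not the password list, becomes the asset to protect.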
The first year of Chevron's security effort was primarily spent reacting to various security emergencies, such as the onslaught of Melissa, Bourque says.
The company is now trying to be more proactive, devising a security compliance policy that would cut across its worldwide operations.
A key part of any company's strategic planning in the security arena is risk assessment. An absolutely secure system is one that's never used. Everything after that assumes a degree of risk.
"We have considerable work to do in this area," says Chevron's Taylor. "For instance, will we mandate that every executive who uses a laptop must use encryption technology? Do we put that technology on the hard drive? This introduces a real annoyance factor to users on the road; it slows down their access. So we must weigh these things," she says.
Weighing usability against the risk of data loss is a continuing exercise. For instance, Forrester argues that companies might consider not putting encryption technology on the hard drives of their sales reps' laptops. Typically, most data on a laptop simply isn't that sensitive; it's worth assessing the risk that the information could be compromised before routinely installing encryption.
Another issue companies need to address is how much money to budget for security and how many people should be dedicated to security matters. According to a study by GartnerGroup, most companies now spend less than 1 per cent of their operating budgets on security, whereas that figure should be closer to between 5 per cent and 8 per cent.
But building a competent security staff and buying the latest and greatest security technology can be very expensive. So for some, the answer is to outsource. When Len Carella, director of information technology at Newsweek in New York City, decided to revamp the magazine's security policies, he turned to Pilot Network Services, an Internet security provider. Pilot maintains Newsweek's external communications through two of its network security centers.
Virus scanning, user authentication, and firewall and proxy server maintenance: all are provided by Pilot, which sits like a watchful spider at the center of Newsweek's Web.
Some information protection analysts argue that ceding security to a third party simply adds another layer of risk. But, Carella says, "We just didn't want to spend the money and resources to do it ourselves. This [outsourcing arrangement] buys me peace of mind." Finding peace of mind will not be easy in the days to come. At this moment, very smart, very ruthless people are writing ever-more sinister viruses and devising new, sneakier ways to circumvent security measures of every kind.
There will be no magic bullet, no simple solution.
Get ready. It's going to be a bumpy ride.